From 20d41ebae4eb28269298504c68db511a05ec4969 Mon Sep 17 00:00:00 2001
From: Paul Holden
Date: Mon, 4 Oct 2021 23:33:51 +0100
Subject: [PATCH] MDL-72370 badges: require sesskey to remove related badge.
---
 badges/related_action.php | 1 +
 badges/renderer.php | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/badges/related_action.php b/badges/related_action.php
index 8011aed57d5b3..28d8d9d6ee41b 100644
--- a/badges/related_action.php
+++ b/badges/related_action.php
@@ -36,6 +36,7 @@
 require_capability('moodle/badges:configuredetails', $context);
 if ($action == 'remove') {
+ require_sesskey();
 $badge->delete_related_badge($relatedid);
 }
diff --git a/badges/renderer.php b/badges/renderer.php
index 81b733024d466..2d0616259f4fa 100644
--- a/badges/renderer.php
+++ b/badges/renderer.php
@@ -1104,13 +1104,13 @@ protected function render_badge_related(\core_badges\output\badge_related $relat
 );
 if (!$currentbadge->is_active() && !$currentbadge->is_locked()) {
 $action = $this->output->action_icon(
- new moodle_url('related_action.php',
- array(
- 'badgeid' => $related->currentbadgeid,
- 'relatedid' => $badge->id,
- 'action' => 'remove'
- )
- ), new pix_icon('t/delete', get_string('delete')));
+ new moodle_url('/badges/related_action.php', [
+ 'badgeid' => $related->currentbadgeid,
+ 'relatedid' => $badge->id,
+ 'sesskey' => sesskey(),
+ 'action' => 'remove'
+ ]),
+ new pix_icon('t/delete', get_string('delete')));
 $actions = html_writer::tag('div', $action, array('class' => 'badge-actions'));
 array_push($row, $actions);
 }
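Review bot: The `remove` branch in badges/related_action.php checks the capability and the session key but not the badge state that the renderer uses to decide whether to show the delete icon (`!$currentbadge->is_active() && !$currentbadge->is_locked()` in badges/renderer.php). Unless `delete_related_badge()` enforces that itself, which is not visible in this hunk, the restriction exists only in the UI and a direct request with a valid sesskey would bypass it. Assuming `$badge` is the same class as `$currentbadge`, the condition could become `if ($action == 'remove' && !$badge->is_active() && !$badge->is_locked()) {`, or the branch could reject the request explicitly. A short comment above `require_sesskey();` such as `// State-changing action: require a valid session key (CSRF protection).` would also help anyone adding further actions to this script, which continues outside the hunk.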
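Review bot: In badges/renderer.php the session key is placed in the query string of an ordinary link (`'sesskey' => sesskey(),` in the `moodle_url` parameters), so the token ends up in browser history and web-server access logs, and the deletion is still triggered by a GET request. Where the output API offers a POST-based control, that would be the safer way to render this delete action; otherwise a comment at the call, e.g. `// sesskey travels in the URL here; related_action.php verifies it with require_sesskey().`, would document the dependency between the two files. As a style point, the new short-array literal lacks a trailing comma after `'action' => 'remove'`, and the untouched line below still uses `array('class' => 'badge-actions')`, so the two syntaxes now sit side by side. `render_badge_related()` starts and ends outside this hunk.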